Privacy Policy

Effective May 2026 — Plain English, no legalese.

Site-wide

Cookies

We set one session cookie (qaw_sid) when you visit any QuickAtWork tool. It has no expiry on the server — it simply lets us count usage against your daily quota. We do not use advertising cookies, analytics pixels, or third-party tracking scripts.

Server logs

Our hosting provider (Fly.io) retains standard HTTP access logs (IP, path, status code, timestamp). We do not process these logs ourselves beyond debugging outages. They are automatically purged per Fly.io’s retention policy.

No account required

Most tools work without an account. When signed-in tiers launch (magic-link email auth), we will update this page with the additional data we store for accounts.

Email Validator

Short version: When you validate an email address, we log the address (hashed + in plaintext-parts) to power a feature that suggests working formats to other users at the same domain. Plaintext is deleted after 90 days. You can delete your records at any time.

What we store when you validate an email

For every email you submit, we record:

Email hash — sha256(lower(email) + secret_salt). Useful for deduplication; cannot be reversed to recover the original address.
Local part (the bit before @) in plain text — e.g. firstname.lastname. Used to detect format patterns.
Domain in plain text — e.g. acme.com. Retained indefinitely as an aggregate key.
Format pattern — a shape like name.name derived from the local part. No email content.
Verdict, score, provider family (e.g. “microsoft”), your tier (anonymous / free / paid), and whether the check was single or bulk.
Session ID — the qaw_sid cookie value. This is not linked to your identity unless you create an account.

Why we store this

We use aggregate data to suggest working email formats. For example: if 47 of the last 53 checks at acme.com used the firstname.lastname pattern and came back deliverable, we surface that to someone who checked a different format at the same domain. This is purely aggregate signal — no individual address is shown to any other user.

How long we keep it

Individual check records (including local part in plaintext) are deleted after 90 days by a daily background job.
Aggregate statistics (domain + format pattern + verdict counts, no email identifiers) are retained indefinitely. They are non-PII and power the format-suggestion feature.

Your right to deletion

Click “Forget my checks” at the bottom of the Email Validator tool. This deletes all check_history rows tied to your current browser session immediately.

You can also call the API directly:

POST /api/email-validator/forget (with your qaw_sid cookie)

Aggregate statistics are not reversed after a forget request. This is intentional: the aggregate counters contain no information about you specifically (they’re just “47 deliverable at acme.com with pattern name.name”). Decrementing them would corrupt the network-effect signal that benefits all other users. We document this trade-off honestly here.

Hashing and salt rotation

The secret salt used for email hashing lives only in our server environment (Fly.io secrets). If the salt is rotated, historical hashes become un-joinable with new hashes. We would document any salt rotation here and treat it as a privacy-protective event.

Where your data is stored

All data is stored in SQLite on a Fly.io volume in the Singapore (sin) region. EU residency (Frankfurt) is on the roadmap for users who require it.

No sharing, no selling

We do not sell, rent, or share your data with third parties. The Email Validator does not call any external enrichment APIs with your submitted addresses.

GDPR

If you are in the EU and believe your rights under GDPR are not addressed by the “Forget my checks” mechanism, contact us via the issue tracker at github.com/your-org/quickatwork/issues. EU data residency is a planned Phase 2 feature.